From 38b2efc44cf3345d97798e9637db241b05e2dded Mon Sep 17 00:00:00 2001
From: Tim Almdal <tnalmdal@shaw.ca>
Date: Sat, 29 Aug 2009 11:43:10 -0700
Subject: Fix for 641... extend viewable functionality to comments. Viewable
 unit test is not working.

---
 modules/comment/helpers/comment_rss.php | 55 +++++++++++++++------------------
 modules/comment/models/comment.php      | 10 ++++++
 2 files changed, 35 insertions(+), 30 deletions(-)

(limited to 'modules/comment')

diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php
index ab3d2283..a8171ce7 100644
--- a/modules/comment/helpers/comment_rss.php
+++ b/modules/comment/helpers/comment_rss.php
@@ -33,42 +33,37 @@ class comment_rss_Core {
       return;
     }
 
-    $comments = ORM::factory("comment")
-      ->where("state", "published")
-      ->orderby("created", "DESC");
-    $all_comments = ORM::factory("comment")
+    $comment_model = ORM::factory("comment")
+      ->viewable()
       ->where("state", "published")
       ->orderby("created", "DESC");
 
     if ($feed_id == "item") {
-      $comments->where("item_id", $id);
-      $all_comments->where("item_id", $id);
+      $comment_model->where("item_id", $id);
     }
 
-    if (!empty($comments)) {
-      $feed->view = "comment.mrss";
-      $comments = $comments->find_all($limit, $offset);
-      $feed->children = array();
-      foreach ($comments as $comment) {
-        $item = $comment->item();
-        $feed->children[] = new ArrayObject(
-          array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
-                "text" => nl2br(p::purify($comment->text)),
-                "thumb_url" => $item->thumb_url(),
-                "thumb_height" => $item->thumb_height,
-                "thumb_width" => $item->thumb_width,
-                "item_uri" => url::abs_site("{$item->type}s/$item->id"),
-                "title" => p::purify($item->title),
-                "author" => p::clean($comment->author_name())),
-          ArrayObject::ARRAY_AS_PROPS);
-      }
+    $comments = $comment_model->find_all($limit, $offset);
+    $feed->view = "comment.mrss";
+    $feed->children = array();
+    foreach ($comments as $comment) {
+      $item = $comment->item();
+      $feed->children[] = new ArrayObject(
+        array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
+              "text" => nl2br(p::purify($comment->text)),
+              "thumb_url" => $item->thumb_url(),
+              "thumb_height" => $item->thumb_height,
+              "thumb_width" => $item->thumb_width,
+              "item_uri" => url::abs_site("{$item->type}s/$item->id"),
+              "title" => p::purify($item->title),
+              "author" => p::clean($comment->author_name())),
+        ArrayObject::ARRAY_AS_PROPS);
+    }
 
-      $feed->max_pages = ceil($all_comments->find_all()->count() / $limit);
-      $feed->title = htmlspecialchars(t("Recent Comments"));
-      $feed->uri = url::abs_site("albums/" . (empty($id) ? "1" : $id));
-      $feed->description = t("Recent Comments");
+    $feed->max_pages = ceil($comment_model->count_all() / $limit);
+    $feed->title = htmlspecialchars(t("Recent Comments"));
+    $feed->uri = url::abs_site("albums/" . (empty($id) ? "1" : $id));
+    $feed->description = t("Recent Comments");
 
-      return $feed;
-    }
+    return $feed;
   }
-}
\ No newline at end of file
+}
diff --git a/modules/comment/models/comment.php b/modules/comment/models/comment.php
index 83d0888a..de9b0cd6 100644
--- a/modules/comment/models/comment.php
+++ b/modules/comment/models/comment.php
@@ -80,4 +80,14 @@ class Comment_Model extends ORM {
 
     return $this;
   }
+
+  /**
+   * Add a set of restrictions to any following queries to restrict access only to items
+   * viewable by the active user.
+   * @chainable
+   */
+  public function viewable() {
+    $this->join("items", "items.id", "comments.item_id");
+    return item::viewable($this);
+  }
 }
-- 
cgit v1.2.3


From d85a8b20bbe0a5be0a03da70354169d41f418d41 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 29 Aug 2009 11:48:49 -0700
Subject: Rename $comment_model to $comments.

---
 modules/comment/helpers/comment_rss.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'modules/comment')

diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php
index a8171ce7..e233de59 100644
--- a/modules/comment/helpers/comment_rss.php
+++ b/modules/comment/helpers/comment_rss.php
@@ -33,16 +33,16 @@ class comment_rss_Core {
       return;
     }
 
-    $comment_model = ORM::factory("comment")
+    $comments = ORM::factory("comment")
       ->viewable()
       ->where("state", "published")
       ->orderby("created", "DESC");
 
     if ($feed_id == "item") {
-      $comment_model->where("item_id", $id);
+      $comments->where("item_id", $id);
     }
 
-    $comments = $comment_model->find_all($limit, $offset);
+    $comments = $comments->find_all($limit, $offset);
     $feed->view = "comment.mrss";
     $feed->children = array();
     foreach ($comments as $comment) {
@@ -59,7 +59,7 @@ class comment_rss_Core {
         ArrayObject::ARRAY_AS_PROPS);
     }
 
-    $feed->max_pages = ceil($comment_model->count_all() / $limit);
+    $feed->max_pages = ceil($comments->count_all() / $limit);
     $feed->title = htmlspecialchars(t("Recent Comments"));
     $feed->uri = url::abs_site("albums/" . (empty($id) ? "1" : $id));
     $feed->description = t("Recent Comments");
-- 
cgit v1.2.3


From cd1fd4989f394f6e8084b8101a8dbdb3030c52aa Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 29 Aug 2009 12:22:00 -0700
Subject: Add a test for Comment_Model::viewable().

---
 modules/comment/tests/Comment_Model_Test.php | 40 ++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 modules/comment/tests/Comment_Model_Test.php

(limited to 'modules/comment')

diff --git a/modules/comment/tests/Comment_Model_Test.php b/modules/comment/tests/Comment_Model_Test.php
new file mode 100644
index 00000000..f4c68b15
--- /dev/null
+++ b/modules/comment/tests/Comment_Model_Test.php
@@ -0,0 +1,40 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Comment_Model_Test extends Unit_Test_Case {
+
+  public function cant_view_comments_for_unviewable_items_test() {
+    $root = ORM::factory("item", 1);
+    $album = album::create($root, rand(), rand(), rand());
+    $comment = comment::create($album, user::guest(), "text", "name", "email", "url");
+    user::set_active(user::guest());
+
+    // We can see the comment when permissions are granted on the album
+    access::allow(group::everybody(), "view", $album);
+    $this->assert_equal(
+      1,
+      ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all());
+
+    // We can't see the comment when permissions are denied on the album
+    access::deny(group::everybody(), "view", $album);
+    $this->assert_equal(
+      0,
+      ORM::factory("comment")->viewable()->where("comments.id", $comment->id)->count_all());
+  }
+}
-- 
cgit v1.2.3